SPECIFICATION

Improvements relating to computer systems 

This invention concerns improvements relating to computer systems and more particularly concerns the protection of host computers from unauthorised access via remote terminals coupled with the host computer over public communications networks including the public telephone system.
As is well known, it is customary to provide a user wishing to access a host computer, for example a database to be interrogated or searched by the user, with a unique user identification or password and to provide at the host computer a table of user identifications for which access to the computer database is permitted. The user's terminal is customarily connected via a modem to the public telephone network, for example, which in turn connects via a corresponding modem with the host computer. The user, when wishing to access the host computer, calls the telephone number of the host computer, receives an answering tone when the telephone line connection is established, and then enters his user identification via his terminal keyboard; the user identification must be received and verified at the host computer in order for access to be provided.
Whilst the provision of user identification passwords to be verified at the host computer before access is permitted does provide a baseline level of security against unauthorised access, nonetheless it does not in many situations provide sufficient security. Computer systems which can be reached through the public telephone system are potentially vulnerable to unauthorised access by anyone who has by whatever means improperly come into possession of an authorised user identification password, and further sophisticated computer-based techniques exist whereby unauthorised entry can be obtained once the dial-up telephone number of a computer facility has been obtained.
To further protect against such fraudulent access, efforts have been made to implement less readily determinable user passwords, and automatic disconnection of the incoming terminal line has also been utilised following a small number of invalid attempts to enter an acceptable password. A more recent proposal has been to provide a so-called port protection device external to the host computer's dial-up access ports, the port protection device having on-board microprocessor intelligence which is used to provide a level of external password protection to any communication line. The port protection device requires a potential dial-up terminal user to manually enter a password as a first step towards connecting with the host computer, and the device then compares this password with a table of valid user passwords stored in its own memory. Only if the user-entered password matches a previously stored password in the port protection device memory is the user enabled to proceed with the routine logging-on procedure at the host computer involving entry of a further password etc.

As yet a further proposal, it has also been suggested to introduce a callback facility into a port protection device; since most legitimate users of a host computer system can be presumed to have a routine work station at a fixed location, the rationale behind the callback proposal is that the port protection device would instruct a user to hang up once his password had been verified and would then call a telephone number recalled from its own memory and associated in the memory with the password entered by the user; by this means only a user in possession of a proper password and located at the work station customarily associated with that password would be able to access the host computer.

According to the principal aspect of the present invention, it is proposed that the modems provided at each end of the data communication line, that is at the user's terminal end and at the host computer end, automatically carry out the password transaction(s) or interchange(s) without action or intervention by the user who, in accordance with the invention, is denied access to or control over the password(s). By this means, a very long and practically indeterminable password comprising a virtually infinite number of possible character combinations (that is to say a virtually infinite "keyspace" size) can be utilised; by automatic use of such a comprehensive password, which has many more digits than could possibly be remembered and manually entered at a terminal, and by not revealing the password to the terminal end user, much greater security of access is ensured.

In a practical situation therefore, the conventional modems which would customarily be provided at each end of the communication line would be replaced by special modems configured, in accordance with the invention, to include means for exchanging the necessary password(s), and means to enable password(s) to be entered during manufacture of the modem and, if desired, to the customer's specification, such means including, for example, provision in the modem of appropriately programmed memory media. Autodial facilities would also be associated with each of the modems or at least with the user end modem.
In operation of a system in accordance with the invention, the user will by appropriate operation of his terminal cause his modem to initiate a call to the host's modem, which requires the user's modem to transmit its preprogrammed password. On receipt of a valid password, verified by comparison with a password store at the host modem, the host's modem authorises direct connection of the user to the host system. Should the host's modem fail to receive a valid password, connection to the host system will be prohibited. The rationale underlying the invention is thus that the terminal user need have no knowledge of the password(s), nor even of the host computer's telephone number if, for example, the terminal/host is a dedicated system, and thus a principal source of fraudulent access is eliminated.

The user's end modem may also be used in a conventional data communications link, i.e. to a non-protected system.
The system according to the invention can also incorporate a callback facility as aforesaid so as to further enhance the level of security provided by the system. With hitherto disclosed port protection devices incorporating a callback facility, entry of the passwords is (to our knowledge) by manual means; the present invention provides the facility for automatic transmission of the password by the user end modem. Further features which can be provided in a system in accordance with the present invention comprise the association of a status code and/or a time-of-access zone with each valid password. The status code can provide for immediate access of a special-status authorised caller to the host computer, thus bypassing the need for callback to be effected, and the time-of-access zone may be used to prevent an authorised user's access to the host computer at times other than those defined by his allocated time-of-access zone.
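
The host-end decision logic described in the preceding paragraphs (automatic password check, then direct connection, callback to the stored workstation number, or refusal according to status code and time-of-access zone) can be set out as follows. This is an added illustration written for this page, not code from the patent; the password table, the telephone numbers, the 32-digit password format and the names Entry, HOST_TABLE, lookup, in_window and host_modem_decision are all constructed for the example.

```python
"""Host-end modem logic for the automatic password check with the callback,
status-code and time-of-access-zone features described in the text.
Added illustration, not code from the patent; the table entries, telephone
numbers and function names are constructed for the example."""
import hmac
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Entry:
    callback_number: str   # workstation the host modem dials back
    status: str            # "standard" (callback) or "special" (direct connection)
    window: tuple          # (start, end) of the user's time-of-access zone


# Constructed password store held in the host modem's memory. Each password is
# a long machine-generated value the terminal user never sees or types; 32 hex
# digits is used here purely for the illustration.
HOST_TABLE = {
    "4b8e2f91c7d03a6e5f1b9c2d8e7a6b50": Entry("+44 20 7946 0101", "standard",
                                            (time(8, 0), time(18, 0))),
    "9d1c0e7b2a6f4d8c3b5e1a9f7c2d0e64": Entry("+44 20 7946 0202", "special",
                                            (time(0, 0), time(23, 59))),
    "e7a3c5d9b1f02468ace13579bdf02468": Entry("+44 161 496 0303", "standard",
                                            (time(20, 0), time(6, 0))),
}


def lookup(received: str):
    """Return the Entry for a received password, or None.

    Every stored password is compared with hmac.compare_digest and the loop
    never exits early, so the time taken does not reveal which entry (if any)
    matched the value sent by the calling modem.
    """
    match = None
    for stored, entry in HOST_TABLE.items():
        if hmac.compare_digest(stored.encode(), received.encode()):
            match = entry
    return match


def in_window(now: time, window) -> bool:
    """True if `now` lies inside the zone; a zone may wrap past midnight."""
    start, end = window
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end


def host_modem_decision(received_password: str, now: time) -> dict:
    """Decide what the host modem does with one incoming call.

    Returns one of:
      {"action": "drop", "reason": ...}     invalid password or outside zone
      {"action": "connect"}                 special status: direct connection
      {"action": "callback", "number": n}   hang up and dial the stored number
    """
    entry = lookup(received_password)
    if entry is None:
        return {"action": "drop", "reason": "no matching password"}
    if not in_window(now, entry.window):
        return {"action": "drop", "reason": "outside time-of-access zone"}
    if entry.status == "special":
        return {"action": "connect"}
    return {"action": "callback", "number": entry.callback_number}


# Constructed sample calls: (password presented by the user modem, time of call)
SAMPLE_CALLS = [
    ("4b8e2f91c7d03a6e5f1b9c2d8e7a6b50", time(9, 30)),   # in zone -> callback
    ("4b8e2f91c7d03a6e5f1b9c2d8e7a6b50", time(22, 0)),   # out of zone -> drop
    ("9d1c0e7b2a6f4d8c3b5e1a9f7c2d0e64", time(3, 0)),    # special -> connect
    ("e7a3c5d9b1f02468ace13579bdf02468", time(2, 0)),    # night zone -> callback
    ("e7a3c5d9b1f02468ace13579bdf02468", time(12, 0)),   # night zone, daytime -> drop
    ("0000000000000000000000000000ffff", time(9, 30)),   # unknown password -> drop
]


def run_samples():
    """Decisions for SAMPLE_CALLS, in order."""
    return [host_modem_decision(pw, when) for pw, when in SAMPLE_CALLS]


if __name__ == "__main__":
    for (pw, when), decision in zip(SAMPLE_CALLS, run_samples()):
        print(pw[:8], when, decision)
```

Note that the comparison is done against every entry rather than by a dictionary lookup on the received value: a plain lookup would return as soon as the first differing character is seen, and the response time would then tell a caller how much of a guessed password was right. The constant-time compare does not address an eavesdropper on the line itself, which is the case the specification's closing remark on encryption is aimed at.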

In accordance with yet a further aspect of the present invention, in order to enable a callback system to be utilised from any workstation location and to be utilised by users, such as travelling salespersons for example, having mobile workstations with no fixed location and a variable telephone number, it is proposed that the host modem or port protection device, in response to verification of a received password transmitted by a user together with the user's current telephone number location, generates a one-time short-term password and transmits it back to the user's location. The user then has to re-dial the host computer and can obtain access only by use of the one-time short-term password within a predetermined short time period of the original password entry. The re-dialling of the host computer could be effected by means of autodial equipment provided in the modem at the user's terminal end, the user's end modem receiving and temporarily holding the one-time password transmitted by the host's modem; by this means the need for user knowledge or control of passwords is completely removed, thereby enhancing security.
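
The two-call exchange described above (first call: preprogrammed password plus current telephone number, host issues a one-time short-term password; second call: user-end modem redials and presents it within the time limit) is shown below from both sides. This is an added illustration, not code from the patent; the class names HostModem and UserModem, the 60-second lifetime, the 128-bit one-time password, the redial delay and the sample password and telephone numbers are all assumptions made for the example.

```python
"""One-time short-term password issue and redemption between a user-end modem
at a variable telephone number and the host-end modem, as described in the
text. Added illustration, not code from the patent; names, the 60-second
lifetime and the sample values are constructed for the example."""
import hmac
import secrets

# Constructed sample values for the demonstration below.
SAMPLE_PASSWORD = "c3a1f5e79b2d4068ace0f1b3d5798642"   # preprogrammed long-term password
SAMPLE_NUMBER = "+44 7700 900123"                       # caller's current telephone number


class HostModem:
    def __init__(self, long_term_passwords, lifetime_seconds=60):
        # long-term passwords programmed into the authorised user-end modems
        self.long_term = list(long_term_passwords)
        self.lifetime = lifetime_seconds
        self.pending = {}   # one-time password -> (caller number, expiry time)

    def _valid_long_term(self, password: str) -> bool:
        # constant-time compare against every entry, no early exit
        ok = False
        for stored in self.long_term:
            if hmac.compare_digest(stored.encode(), password.encode()):
                ok = True
        return ok

    def first_call(self, password: str, caller_number: str, now: float):
        """First dial-in: verify the preprogrammed password and, if valid,
        issue a one-time password bound to the number the caller reported
        and to a short expiry. Returns the OTP to send back, or None."""
        self._expire(now)
        if not self._valid_long_term(password):
            return None
        otp = secrets.token_hex(16)   # 128 random bits: not guessable within the window
        self.pending[otp] = (caller_number, now + self.lifetime)
        return otp

    def second_call(self, otp: str, caller_number: str, now: float) -> bool:
        """Redial: accept the OTP once only, before expiry, and only from the
        number it was issued for. Any presentation, valid or not, consumes it."""
        record = self.pending.pop(otp, None)   # removed on first use: no replay
        if record is None:
            return False
        number, expiry = record
        return now <= expiry and number == caller_number

    def _expire(self, now: float) -> None:
        """Discard one-time passwords whose window has closed unredeemed."""
        for otp in [o for o, (_, exp) in self.pending.items() if now > exp]:
            del self.pending[otp]


class UserModem:
    """User-end modem: holds the long-term password and briefly the OTP; the
    user only initiates the call and never sees either value."""
    def __init__(self, password: str, own_number: str):
        self._password = password
        self.own_number = own_number

    def connect(self, host: HostModem, now: float, redial_delay: float = 5.0) -> bool:
        otp = host.first_call(self._password, self.own_number, now)
        if otp is None:
            return False   # host refused: nothing to redial with
        # hang up, then autodial again presenting the OTP; the OTP is not retained
        return host.second_call(otp, self.own_number, now + redial_delay)


if __name__ == "__main__":
    host = HostModem([SAMPLE_PASSWORD], lifetime_seconds=60)
    print("legitimate modem:", UserModem(SAMPLE_PASSWORD, SAMPLE_NUMBER).connect(host, now=1000.0))
    print("wrong password:  ", UserModem("0" * 32, SAMPLE_NUMBER).connect(host, now=1000.0))
    otp = host.first_call(SAMPLE_PASSWORD, SAMPLE_NUMBER, now=2000.0)
    print("late redial:     ", host.second_call(otp, SAMPLE_NUMBER, now=2100.0))
```

Two points worth noticing in this flow. The single-use, short-lived one-time password limits what an eavesdropper gains from overhearing it: once the legitimate modem has redeemed it, or the window has closed, a replay is refused. The long-term password, however, still crosses the line on every first call, and the caller's telephone number in this scheme is whatever the caller reports, so the binding of the OTP to that number only adds protection if the host has some independent way of checking it; the specification does not say how, and the closing remark on encryption is the only hint it gives towards the first problem.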

In the systems according to the invention, the passwords, the user status codes and time-of-access zones, and the callback telephone numbers, or any of them, are not made accessible for modification by the standard user; that is to say, such data can be modified only at the command of an appropriately authorised key person at the host computer location, with such key person's access to the host computer itself being password controlled.
Having thus described the concepts upon which the present invention is based and recognising the capability of the skilled technician in the data communications art readily to put the herein-disclosed inventive concepts into practical realisation without need for further explanation, it is considered that no further description of the present invention is required herein. Various features, alterations and modifications will occur to those possessed of appropriate skills without departure from the spirit and scope of the invention. Basically the invention provides for security procedures to be completely hidden from the user and involves no user intervention.

As yet a further feature, the invention could make use of encryption techniques for yet higher levels of security.

CLAIMS

1. A password-protected data communication system for transfer of data between remote user terminals and a host computer via public telephone networks or the like and wherein password transaction(s) and/or interchange(s) are automatically effected between special modems provided at the user terminal and at the host computer without action or intervention (other than call initiating action) by the user who is denied access to or control over the password(s).

2. A system in accordance with claim 1 including a callback facility whereby, in response to reception at the host modem of an acceptable password, the host modem automatically seeks to connect the host computer with a predetermined user workstation location associated with the received password.

3. A system in accordance with claim 2 wherein the host modem, in response to verification of a received password transmitted by a user together with the user's current telephone number, generates a one-off short-term password and transmits it back to the user's location, the user being enabled to access the host computer only by utilisation of such one-off short-term password within a predetermined limited time period.

4. A system in accordance with claim 3 wherein the modem at the user's location is adapted and arranged to automatically access the host computer by utilisation of said one-off short-term password without intervention from the user.

5. A system in accordance with any of the preceding claims wherein the passwords utilised by the system incorporate user status and/or time-of-access zone codes.



Printed in the UK for HMSO, D88I8935. 6788. 7102.

Published by The Patent Office, 25 Southampton Buildings, London, WC2A 1AY, from which copies may be obtained.



